├── .DS_Store
├── README.md
├── ThumbHooked.mp4
├── jni
    ├── .DS_Store
    ├── Android.mk
    ├── Application.mk
    ├── InlineHook
    │   ├── .DS_Store
    │   ├── Android.mk
    │   ├── Ihook.c
    │   ├── Ihook.h
    │   ├── fixPCOpcode.c
    │   ├── fixPCOpcode.h
    │   ├── ihookstub.s
    │   └── ihookstubthumb.s
    └── Interface
    │   ├── .DS_Store
    │   ├── Android.mk
    │   └── InlineHook.cpp
├── libs
    └── armeabi-v7a
    │   └── libInlineThumbHook.so
├── notThumbHooked.mp4
├── obj
    └── local
    │   └── armeabi-v7a
    │       ├── libIHook.a
    │       ├── libInlineArmHook.so
    │       ├── libInlineHook.so
    │       ├── libInlineThumbHook.so
    │       └── objs
    │           ├── IHook
    │               ├── IHook.o
    │               ├── IHook.o.d
    │               ├── fixPCOpcode.o
    │               ├── fixPCOpcode.o.d
    │               ├── ihookstub.o
    │               └── ihookstubthumb.o
    │           ├── InlineArmHook
    │               ├── InlineHook.o
    │               └── InlineHook.o.d
    │           ├── InlineHook
    │               ├── InlineHook.o
    │               └── InlineHook.o.d
    │           └── InlineThumbHook
    │               ├── InlineHook.o
    │               └── InlineHook.o.d
├── thumb-2-example.apk
├── thumb-2-example.zip
├── thumb-2-example
    ├── libnative-lib.idb
    └── libnative-lib.so
├── thumbhook.pdf
└── todo.txt


/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/.DS_Store


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | This is the example of my [Android Inline Hook Project](https://github.com/GToad/Android_Inline_Hook.git) in thumb mode. So I will only update that repo.
 2 | 
 3 | The target APP is `thumb-2-example.apk` and our .so file has already been compiled in `/libs/armeabi-v7a/libInlineThumbHook.so`.
 4 | 
 5 | In this APP, you should wait for more than 30 seconds and it will show `Enough. You Win!` in the middle of the screen. After the example `libInlineThumbHook.so` is effective, the register R0 will be set to 0x333 (>10) so you will get `Enough. You Win!` immediately.
 6 | 
 7 | `notThumbHooked.mp4` shows the APP run in a normal environment.
 8 | 
 9 | `ThumbHooked.mp4` shows the APP run in a hooked environment.
10 | 
11 | The pictures of effect are showed below:
12 | 
13 | ![](https://gtoad.github.io/img/in-post/post-android-native-hook-practice/notThumbHooked.png)
14 | ![](https://gtoad.github.io/img/in-post/post-android-native-hook-practice/ThumbHooked.png)
15 | 
16 | # Android Inline Hook
17 | 
18 | This project make an Android .so file that can automatically do some native hook works.
19 | 
20 | It mainly use Android Inline Hook, not PLT Hook.
21 | 
22 | If you can read Chinese or wanna see more picture, I've wrote some articles about this repo and the first one is the main article. `I highly recommend you to read the articles before reading the code.` These article will save you a lot of time, I promise.
23 | 
24 | 1. [Android Inline Hook Practice](https://gtoad.github.io/2018/07/06/Android-Native-Hook-Practice/)
25 | 2. [Opcode Fix In Android Inline Hook](https://gtoad.github.io/2018/07/13/Android-Inline-Hook-Fix/)
26 | 3. [An Introduction to Android Native Hook](https://gtoad.github.io/2018/07/05/Android-Native-Hook/)
27 | 
28 | # How To Use
29 | 
30 | The only thing you have to change is the code in `InlineHook.cpp`.
31 | 
32 | You can name the `__attribute__((constructor)) ModifyIBored()` function at your will and change the follow arg in it:
33 | 
34 | 1. `pModuleBaseAddr` is the address of your target so.
35 | 2. `target_offset` is the offset of your hook point in the target so.
36 | 3. `is_target_thumb` shows the hook point's CPU mode. You can know this information in the work of reversing before the hook work.
37 | 
38 | `EvilHookStubFunctionForIBored` function is the thing you really wanna do when the hook works. You can name at your will, but keep the arg `(pt_regs *regs)`. It brings you the power to control the registers, like set r0 to 0x333 : `regs->uregs[0]=0x333;`.
39 | 
40 | After you finish the args above, just `ndk-build` and you will get your .so file.
41 | 
42 | # Example
43 | 
44 | I've make some examples in other repo, it includes code and the target APK file.
45 | 
46 | 1. [thumb-2 example](https://github.com/GToad/Android_Inline_Hook_Thumb_Example.git)
47 | 2. [arm32 example](https://github.com/GToad/Android_Inline_Hook_Arm_Example.git)
48 | 
49 | # Contact
50 | 
51 | I believe that this project still has some problems. If you find some bugs or have some problems, you can send e-mail to `gtoad1994@aliyun.com`. I wish we can fix it together!
52 | 
53 | # Reference
54 | 
55 | [Game Security Lab of Tencent](http://gslab.qq.com/portal.php?mod=view&aid=168)
56 | 
57 | [Ele7enxxh's Blog](http://ele7enxxh.com/Android-Arm-Inline-Hook.html)
58 | 
59 | 
60 | 
61 | 
62 | 


--------------------------------------------------------------------------------
/ThumbHooked.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/ThumbHooked.mp4


--------------------------------------------------------------------------------
/jni/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/jni/.DS_Store


--------------------------------------------------------------------------------
/jni/Android.mk:
--------------------------------------------------------------------------------
1 | include $(call all-subdir-makefiles)


--------------------------------------------------------------------------------
/jni/Application.mk:
--------------------------------------------------------------------------------
1 | APP_ABI := armeabi-v7a
2 | APP_STL := gnustl_static
3 | APP_CPPFLAGS += -fexceptions


--------------------------------------------------------------------------------
/jni/InlineHook/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/jni/InlineHook/.DS_Store


--------------------------------------------------------------------------------
/jni/InlineHook/Android.mk:
--------------------------------------------------------------------------------
 1 | LOCAL_PATH := $(call my-dir)  
 2 | 
 3 | 
 4 | include $(CLEAR_VARS)
 5 | 
 6 | LOCAL_CXXFLAGS +=  -g -O0
 7 | LOCAL_ARM_MODE := arm
 8 | LOCAL_MODULE    := IHook
 9 | LOCAL_SRC_FILES := IHook.c ihookstub.s ihookstubthumb.s fixPCOpcode.c
10 | LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog
11 | 
12 | include $(BUILD_STATIC_LIBRARY)
13 | 


--------------------------------------------------------------------------------
/jni/InlineHook/Ihook.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/jni/InlineHook/Ihook.c


--------------------------------------------------------------------------------
/jni/InlineHook/Ihook.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/jni/InlineHook/Ihook.h


--------------------------------------------------------------------------------
/jni/InlineHook/fixPCOpcode.c:
--------------------------------------------------------------------------------
   1 | #include "fixPCOpcode.h"
   2 | 
   3 | //这里的代码建议看文章：《Android Inline Hook中的指令修复详解》（https://gtoad.github.io/2018/07/13/Android-Inline-Hook-Fix/）
   4 | 
   5 | enum INSTRUCTION_TYPE {
   6 | 	// B <label>
   7 | 	B1_THUMB16,
   8 |     // B <label>
   9 |     B1_BEQ_THUMB16,
  10 |     // B <label>
  11 |     B1_BNE_THUMB16,
  12 |     // B <label>
  13 |     B1_BCS_THUMB16,
  14 |     // B <label>
  15 |     B1_BCC_THUMB16,
  16 |     // B <label>
  17 |     B1_BMI_THUMB16,
  18 |     // B <label>
  19 |     B1_BPL_THUMB16,
  20 |     // B <label>
  21 |     B1_BVS_THUMB16,
  22 |     // B <label>
  23 |     B1_BVC_THUMB16,
  24 |     // B <label>
  25 |     B1_BHI_THUMB16,
  26 |     // B <label>
  27 |     B1_BLS_THUMB16,
  28 |     // B <label>
  29 |     B1_BGE_THUMB16,
  30 |     // B <label>
  31 |     B1_BLT_THUMB16,
  32 |     // B <label>
  33 |     B1_BGT_THUMB16,
  34 |     // B <label>
  35 |     B1_BLE_THUMB16,
  36 | 	// B <label>
  37 | 	B2_THUMB16,
  38 | 	// BX PC
  39 | 	BX_THUMB16,
  40 | 	// ADD <Rdn>, PC (Rd != PC, Rn != PC) 在对ADD进行修正时，采用了替换PC为Rr的方法，当Rd也为PC时，由于之前更改了Rr的值，可能会影响跳转后的正常功能。
  41 | 	ADD_THUMB16,
  42 | 	// MOV Rd, PC
  43 | 	MOV_THUMB16,
  44 | 	// ADR Rd, <label>
  45 | 	ADR_THUMB16,
  46 | 	// LDR Rt, <label>
  47 | 	LDR_THUMB16,
  48 | 
  49 | 	// CB{N}Z <Rn>, <label>
  50 | 	CB_THUMB16,
  51 | 
  52 | 
  53 | 	// BLX <label>
  54 | 	BLX_THUMB32,
  55 | 	// BL <label>
  56 | 	BL_THUMB32,
  57 | 	// B.W <label>
  58 | 	B1_THUMB32,
  59 |     // B.W <label>
  60 |     B1_BEQ_THUMB32,
  61 |     // B.W <label>
  62 |     B1_BNE_THUMB32,
  63 |     // B.W <label>
  64 |     B1_BCS_THUMB32,
  65 |     // B.W <label>
  66 |     B1_BCC_THUMB32,
  67 |     // B.W <label>
  68 |     B1_BMI_THUMB32,
  69 |     // B.W <label>
  70 |     B1_BPL_THUMB32,
  71 |     // B.W <label>
  72 |     B1_BVS_THUMB32,
  73 |     // B.W <label>
  74 |     B1_BVC_THUMB32,
  75 |     // B.W <label>
  76 |     B1_BHI_THUMB32,
  77 |     // B.W <label>
  78 |     B1_BLS_THUMB32,
  79 |     // B.W <label>
  80 |     B1_BGE_THUMB32,
  81 |     // B.W <label>
  82 |     B1_BLT_THUMB32,
  83 |     // B.W <label>
  84 |     B1_BGT_THUMB32,
  85 |     // B.W <label>
  86 |     B1_BLE_THUMB32,
  87 | 	// B.W <label>
  88 | 	B2_THUMB32,
  89 | 	// ADR.W Rd, <label>
  90 | 	ADR1_THUMB32,
  91 | 	// ADR.W Rd, <label>
  92 | 	ADR2_THUMB32,
  93 | 	// LDR.W Rt, <label>
  94 | 	LDR_THUMB32,
  95 | 	// TBB [PC, Rm]
  96 | 	TBB_THUMB32,
  97 | 	// TBH [PC, Rm, LSL #1]
  98 | 	TBH_THUMB32,
  99 | 
 100 | 	// BLX <label>
 101 | 	BLX_ARM,
 102 | 	// BL <label>
 103 | 	BL_ARM,
 104 | 	// B <label>
 105 | 	B_ARM,
 106 | 
 107 |     // <Add by GToad>
 108 |     // B <label>
 109 | 	BEQ_ARM,
 110 |     // B <label>
 111 | 	BNE_ARM,
 112 |     // B <label>
 113 | 	BCS_ARM,
 114 |     // B <label>
 115 | 	BCC_ARM,
 116 |     // B <label>
 117 | 	BMI_ARM,
 118 |     // B <label>
 119 | 	BPL_ARM,
 120 |     // B <label>
 121 | 	BVS_ARM,
 122 |     // B <label>
 123 | 	BVC_ARM,
 124 |     // B <label>
 125 | 	BHI_ARM,
 126 |     // B <label>
 127 | 	BLS_ARM,
 128 |     // B <label>
 129 | 	BGE_ARM,
 130 |     // B <label>
 131 | 	BLT_ARM,
 132 |     // B <label>
 133 | 	BGT_ARM,
 134 |     // B <label>
 135 | 	BLE_ARM,
 136 |     // </Add by GToad>
 137 | 
 138 | 	// BX PC
 139 | 	BX_ARM,
 140 | 	// ADD Rd, PC, Rm (Rd != PC, Rm != PC) 在对ADD进行修正时，采用了替换PC为Rr的方法，当Rd也为PC时，由于之前更改了Rr的值，可能会影响跳转后的正常功能;实际汇编中没有发现Rm也为PC的情况，故未做处理。
 141 | 	ADD_ARM,
 142 | 	// ADR Rd, <label>
 143 | 	ADR1_ARM,
 144 | 	// ADR Rd, <label>
 145 | 	ADR2_ARM,
 146 | 	// MOV Rd, PC
 147 | 	MOV_ARM,
 148 | 	// LDR Rt, <label>
 149 | 	LDR_ARM,
 150 | 
 151 | 	UNDEFINE,
 152 | };
 153 | 
 154 | int lengthFixThumb32(uint32_t opcode)
 155 | {
 156 |     int type;
 157 |     type = getTypeInThumb32(opcode);
 158 |     switch(type)
 159 |     {
 160 |         case BLX_THUMB32:
 161 |         case BL_THUMB32:
 162 |         case B1_THUMB32:return 12;break;
 163 |         case B2_THUMB32:return 8;break;
 164 |         case ADR1_THUMB32:
 165 |         case ADR2_THUMB32:return 8;break;
 166 |         case LDR_THUMB32:
 167 |         case TBB_THUMB32:
 168 |         case TBH_THUMB32:return 28;break;
 169 |         case B1_BEQ_THUMB32:
 170 |         case B1_BNE_THUMB32:
 171 |         case B1_BCS_THUMB32:
 172 |         case B1_BCC_THUMB32:
 173 |         case B1_BMI_THUMB32:
 174 |         case B1_BPL_THUMB32:
 175 |         case B1_BVS_THUMB32:
 176 |         case B1_BVC_THUMB32:
 177 |         case B1_BHI_THUMB32:
 178 |         case B1_BLS_THUMB32:
 179 |         case B1_BGE_THUMB32:
 180 |         case B1_BLT_THUMB32:
 181 |         case B1_BGT_THUMB32:
 182 |         case B1_BLE_THUMB32:return 12;break;
 183 |         case UNDEFINE:return 4;break;
 184 |     }    
 185 | }
 186 | 
 187 | int lengthFixArm32(uint32_t opcode)
 188 | {
 189 |     int type;
 190 |     type = getTypeInArm32(opcode);
 191 |     switch(type)
 192 |     {
 193 |         case BEQ_ARM:
 194 |         case BNE_ARM:
 195 |         case BCS_ARM:
 196 |         case BCC_ARM:
 197 |         case BMI_ARM:
 198 |         case BPL_ARM:
 199 |         case BVS_ARM:
 200 |         case BVC_ARM:
 201 |         case BHI_ARM:
 202 |         case BLS_ARM:
 203 |         case BGE_ARM:
 204 |         case BLT_ARM:
 205 |         case BGT_ARM:
 206 |         case BLE_ARM:return 12;break;
 207 |         case BLX_ARM:
 208 |         case BL_ARM:return 12;break;
 209 |         case B_ARM:
 210 |         case BX_ARM:return 8;break;
 211 |         case ADD_ARM:return 24;break;
 212 |         case ADR1_ARM:
 213 |         case ADR2_ARM:
 214 |         case LDR_ARM:
 215 |         case MOV_ARM:return 12;break;
 216 |         case UNDEFINE:return 4;
 217 |     }    
 218 | }
 219 | 
 220 | int lengthFixThumb16(uint16_t opcode)
 221 | {
 222 |     int type;
 223 |     type = getTypeInThumb16(opcode);
 224 |     switch(type)
 225 |     {
 226 |         case B1_BEQ_THUMB16:
 227 |         case B1_BNE_THUMB16:
 228 |         case B1_BCS_THUMB16:
 229 |         case B1_BCC_THUMB16:
 230 |         case B1_BMI_THUMB16:
 231 |         case B1_BPL_THUMB16:
 232 |         case B1_BVS_THUMB16:
 233 |         case B1_BVC_THUMB16:
 234 |         case B1_BHI_THUMB16:
 235 |         case B1_BLS_THUMB16:
 236 |         case B1_BGE_THUMB16:
 237 |         case B1_BLT_THUMB16:
 238 |         case B1_BGT_THUMB16:
 239 |         case B1_BLE_THUMB16:return 12;break;
 240 |         case B1_THUMB16:return 12;break;
 241 |         case B2_THUMB16:
 242 |         case BX_THUMB16:return 8;break;
 243 |         case ADD_THUMB16:return 14;break;
 244 |         case MOV_THUMB16:
 245 |         case ADR_THUMB16:
 246 |         case LDR_THUMB16:return 8;break;
 247 |         case CB_THUMB16:return 12;break;
 248 |         case UNDEFINE:return 4;break;
 249 |     }    
 250 | }
 251 | 
 252 | static int getTypeInArm32(uint32_t instruction)
 253 | {
 254 |     LOGI("getTypeInArm : %x", instruction);
 255 | 	if ((instruction & 0xFE000000) == 0xFA000000) {
 256 | 		return BLX_ARM;
 257 | 	}
 258 | 	if ((instruction & 0xF000000) == 0xB000000) {
 259 | 		return BL_ARM;
 260 | 	}
 261 | 	if ((instruction & 0xFE000000) == 0x0A000000) {
 262 | 		return BEQ_ARM;
 263 | 	}
 264 |     if ((instruction & 0xFE000000) == 0x1A000000) {
 265 | 		return BNE_ARM;
 266 | 	}
 267 |     if ((instruction & 0xFE000000) == 0x2A000000) {
 268 | 		return BCS_ARM;
 269 | 	}
 270 |     if ((instruction & 0xFE000000) == 0x3A000000) {
 271 | 		return BCC_ARM;
 272 | 	}
 273 |     if ((instruction & 0xFE000000) == 0x4A000000) {
 274 | 		return BMI_ARM;
 275 | 	}
 276 |     if ((instruction & 0xFE000000) == 0x5A000000) {
 277 | 		return BPL_ARM;
 278 | 	}
 279 |     if ((instruction & 0xFE000000) == 0x6A000000) {
 280 | 		return BVS_ARM;
 281 | 	}
 282 |     if ((instruction & 0xFE000000) == 0x7A000000) {
 283 | 		return BVC_ARM;
 284 | 	}
 285 |     if ((instruction & 0xFE000000) == 0x8A000000) {
 286 | 		return BHI_ARM;
 287 | 	}
 288 |     if ((instruction & 0xFE000000) == 0x9A000000) {
 289 | 		return BLS_ARM;
 290 | 	}
 291 |     if ((instruction & 0xFE000000) == 0xAA000000) {
 292 | 		return BGE_ARM;
 293 | 	}
 294 |     if ((instruction & 0xFE000000) == 0xBA000000) {
 295 | 		return BLT_ARM;
 296 | 	}
 297 |     if ((instruction & 0xFE000000) == 0xCA000000) {
 298 | 		return BGT_ARM;
 299 | 	}
 300 |     if ((instruction & 0xFE000000) == 0xDA000000) {
 301 | 		return BLE_ARM;
 302 | 	}
 303 |     if ((instruction & 0xFE000000) == 0xEA000000) {
 304 | 		return B_ARM;
 305 | 	}
 306 |     
 307 |     /*
 308 |     if ((instruction & 0xFF000000) == 0xFA000000) {
 309 | 		return BLX_ARM;
 310 | 	} *//*
 311 |     if ((instruction & 0xF000000) == 0xA000000) {
 312 | 		return B_ARM;
 313 | 	}*/
 314 |     
 315 | 	if ((instruction & 0xFF000FF) == 0x120001F) {
 316 | 		return BX_ARM;
 317 | 	}
 318 | 	if ((instruction & 0xFEF0010) == 0x8F0000) {
 319 | 		return ADD_ARM;
 320 | 	}
 321 | 	if ((instruction & 0xFFF0000) == 0x28F0000) {
 322 | 		return ADR1_ARM;
 323 | 	}
 324 | 	if ((instruction & 0xFFF0000) == 0x24F0000) {
 325 | 		return ADR2_ARM;		
 326 | 	}
 327 | 	if ((instruction & 0xE5F0000) == 0x41F0000) {
 328 | 		return LDR_ARM;
 329 | 	}
 330 | 	if ((instruction & 0xFE00FFF) == 0x1A0000F) {
 331 | 		return MOV_ARM;
 332 | 	}
 333 | 	return UNDEFINE;
 334 | }
 335 | 
 336 | static int getTypeInThumb16(uint16_t instruction)
 337 | {
 338 |     LOGI("getTypeInThumb16 : %x", instruction);
 339 |     if ((instruction & 0xFF00) == 0xD000) {
 340 | 		return B1_BEQ_THUMB16;
 341 | 	}
 342 |     if ((instruction & 0xFF00) == 0xD100) {
 343 | 		return B1_BNE_THUMB16;
 344 | 	}
 345 |     if ((instruction & 0xFF00) == 0xD200) {
 346 | 		return B1_BCS_THUMB16;
 347 | 	}
 348 |     if ((instruction & 0xFF00) == 0xD300) {
 349 | 		return B1_BCC_THUMB16;
 350 | 	}
 351 |     if ((instruction & 0xFF00) == 0xD400) {
 352 | 		return B1_BMI_THUMB16;
 353 | 	}
 354 |     if ((instruction & 0xFF00) == 0xD500) {
 355 | 		return B1_BPL_THUMB16;
 356 | 	}
 357 |     if ((instruction & 0xFF00) == 0xD600) {
 358 | 		return B1_BVS_THUMB16;
 359 | 	}
 360 |     if ((instruction & 0xFF00) == 0xD700) {
 361 | 		return B1_BVC_THUMB16;
 362 | 	}
 363 |     if ((instruction & 0xFF00) == 0xD800) {
 364 | 		return B1_BHI_THUMB16;
 365 | 	}
 366 |     if ((instruction & 0xFF00) == 0xD900) {
 367 | 		return B1_BLS_THUMB16;
 368 | 	}
 369 |     if ((instruction & 0xFF00) == 0xDA00) {
 370 | 		return B1_BGE_THUMB16;
 371 | 	}
 372 |     if ((instruction & 0xFF00) == 0xDB00) {
 373 | 		return B1_BLT_THUMB16;
 374 | 	}
 375 |     if ((instruction & 0xFF00) == 0xDC00) {
 376 | 		return B1_BGT_THUMB16;
 377 | 	}
 378 |     if ((instruction & 0xFF00) == 0xDD00) {
 379 | 		return B1_BLE_THUMB16;
 380 | 	}
 381 | 	if ((instruction & 0xF000) == 0xD000) {
 382 | 		return B1_THUMB16;
 383 | 	}
 384 | 	if ((instruction & 0xF800) == 0xE000) {
 385 | 		return B2_THUMB16;
 386 | 	}
 387 | 	if ((instruction & 0xFFF8) == 0x4778) {
 388 | 		return BX_THUMB16;
 389 | 	}
 390 | 	if ((instruction & 0xFF78) == 0x4478) {
 391 | 		return ADD_THUMB16;
 392 | 	}
 393 | 	if ((instruction & 0xFF78) == 0x4678) {
 394 | 		return MOV_THUMB16;
 395 | 	}
 396 | 	if ((instruction & 0xF800) == 0xA000) {
 397 | 		return ADR_THUMB16;
 398 | 	}
 399 | 	if ((instruction & 0xF800) == 0x4800) {
 400 | 		return LDR_THUMB16;
 401 | 	}
 402 | 	if ((instruction & 0xF500) == 0xB100) {
 403 | 		return CB_THUMB16;
 404 | 	}
 405 | 	return UNDEFINE;
 406 | }
 407 | 
 408 | static int getTypeInThumb32(uint32_t instruction)
 409 | {
 410 |     LOGI("getTypeInThumb32 : %x", instruction);
 411 | 	if ((instruction & 0xF800D000) == 0xF000C000) {
 412 | 		return BLX_THUMB32;
 413 | 	}
 414 | 	if ((instruction & 0xF800D000) == 0xF000D000) {
 415 | 		return BL_THUMB32;
 416 | 	}
 417 |     if ((instruction & 0xFBA0D000) == 0xF0008000) {
 418 | 		return B1_BEQ_THUMB32;
 419 | 	}
 420 |     if ((instruction & 0xFBA0D000) == 0xF0408000) {
 421 | 		return B1_BNE_THUMB32;
 422 | 	}
 423 |     if ((instruction & 0xFBA0D000) == 0xF0808000) {
 424 | 		return B1_BCS_THUMB32;
 425 | 	}
 426 |     if ((instruction & 0xFBA0D000) == 0xF0C08000) {
 427 | 		return B1_BCC_THUMB32;
 428 | 	}
 429 |     if ((instruction & 0xFBA0D000) == 0xF1008000) {
 430 | 		return B1_BMI_THUMB32;
 431 | 	}
 432 |     if ((instruction & 0xFBA0D000) == 0xF1408000) {
 433 | 		return B1_BPL_THUMB32;
 434 | 	}
 435 |     if ((instruction & 0xFBA0D000) == 0xF1808000) {
 436 | 		return B1_BVS_THUMB32;
 437 | 	}
 438 |     if ((instruction & 0xFBA0D000) == 0xF1C08000) {
 439 | 		return B1_BVC_THUMB32;
 440 | 	}
 441 |     if ((instruction & 0xFBA0D000) == 0xF2008000) {
 442 | 		return B1_BHI_THUMB32;
 443 | 	}
 444 |     if ((instruction & 0xFBA0D000) == 0xF2408000) {
 445 | 		return B1_BLS_THUMB32;
 446 | 	}
 447 |     if ((instruction & 0xFBA0D000) == 0xF2808000) {
 448 | 		return B1_BGE_THUMB32;
 449 | 	}
 450 |     if ((instruction & 0xFBA0D000) == 0xF2C08000) {
 451 | 		return B1_BLT_THUMB32;
 452 | 	}
 453 |     if ((instruction & 0xFBA0D000) == 0xF3008000) {
 454 | 		return B1_BGT_THUMB32;
 455 | 	}
 456 |     if ((instruction & 0xFBA0D000) == 0xF3408000) {
 457 | 		return B1_BLE_THUMB32;
 458 | 	}
 459 | 	if ((instruction & 0xF800D000) == 0xF0008000) {
 460 | 		return B1_THUMB32;
 461 | 	}
 462 | 	if ((instruction & 0xF800D000) == 0xF0009000) {
 463 | 		return B2_THUMB32;
 464 | 	}
 465 | 	if ((instruction & 0xFBFF8000) == 0xF2AF0000) {
 466 | 		return ADR1_THUMB32;
 467 | 	}
 468 | 	if ((instruction & 0xFBFF8000) == 0xF20F0000) {
 469 | 		return ADR2_THUMB32;		
 470 | 	}
 471 | 	if ((instruction & 0xFF7F0000) == 0xF85F0000) {
 472 | 		return LDR_THUMB32;
 473 | 	}
 474 | 	if ((instruction & 0xFFFF00F0) == 0xE8DF0000) {
 475 | 		return TBB_THUMB32;
 476 | 	}
 477 | 	if ((instruction & 0xFFFF00F0) == 0xE8DF0010) {
 478 | 		return TBH_THUMB32;
 479 | 	}
 480 | 	return UNDEFINE;
 481 | }
 482 | 
 483 | bool isThumb32(uint16_t opcode)
 484 | {
 485 |     LOGI("isThumb32 : opcode is %x",opcode);
 486 |     int tmp = opcode >> 11; 
 487 |     LOGI("tmp is %d",tmp);
 488 |     if ((tmp == 0b11101) || (tmp == 0b11110) || (tmp == 0b11111)){ //TODO: this "if" struct is just for debug.
 489 |     // Use "return ((tmp == 0b11101) || (tmp == 0b11110) || (tmp == 0b11111));" when released.
 490 |         LOGI("thumb32 !"); 
 491 |         return true;
 492 |     }
 493 |     return false;
 494 | }
 495 | 
 496 | bool isTargetAddrInBackup(uint32_t target_addr, uint32_t hook_addr, int backup_length)
 497 | {
 498 |     if((target_addr<=hook_addr+backup_length)&&(target_addr>=hook_addr))
 499 |         return true;
 500 |     return false;
 501 | }
 502 | 
 503 | int fixPCOpcodeArm(void *fixOpcodes , INLINE_HOOK_INFO* pstInlineHook)
 504 | {
 505 |     uint32_t pc;
 506 |     uint32_t lr;
 507 |     int backUpPos = 0;
 508 |     int fixPos = 0;
 509 |     int offset = 0;
 510 |     //int isConditionBcode = 0;
 511 |     uint32_t *currentOpcode;
 512 |     uint32_t tmpFixOpcodes[40]; //对于每条PC命令的修复指令都将暂时保存在这里。
 513 |     //uint32_t tmpBcodeFix;
 514 |     //uint32_t tmpBcodeX = 0;
 515 | 
 516 |     LOGI("Fixing Arm !!!!!!!");
 517 | 
 518 |     currentOpcode = pstInlineHook->szbyBackupOpcodes + sizeof(uint8_t)*backUpPos;
 519 |     LOGI("sizeof(uint8_t) : %D", sizeof(uint8_t));
 520 | 
 521 |     pc = pstInlineHook->pHookAddr + 8; //pc变量用于保存原本指令执行时的pc值
 522 |     lr = pstInlineHook->pHookAddr + pstInlineHook->backUpLength;
 523 | 
 524 |     if(pstInlineHook == NULL)
 525 |     {
 526 |         LOGI("pstInlineHook is null");
 527 |     }
 528 | 
 529 |     while(1) // 在这个循环中，每次都处理一个thumb命令
 530 |     {
 531 |         LOGI("-------------START----------------");
 532 |         LOGI("currentOpcode is %x",*currentOpcode);
 533 |         
 534 |         offset = fixPCOpcodeArm32(pc, lr, *currentOpcode, tmpFixOpcodes, pstInlineHook);
 535 |         //LOGI("isConditionBcode : %d", isConditionBcode);
 536 |         LOGI("offset : %d", offset);
 537 |         memcpy(fixOpcodes+fixPos, tmpFixOpcodes, offset);
 538 |         /*
 539 |         if (isConditionBcode==1) { // the first code is B??
 540 |             if (backUpPos == 4) { // the second has just been processed
 541 |                 LOGI("Fix the first b_code.");
 542 |                 LOGI("offset : %d",offset);
 543 |                 tmpBcodeFix += (offset/4 +1);
 544 |                 memcpy(fixOpcodes, &tmpBcodeFix, 4);
 545 |                 LOGI("Fix the first b_code 1.");
 546 | 
 547 |                 tmpBcodeFix = 0xE51FF004;
 548 |                 LOGI("Fix the first b_code 1.5");
 549 |                 memcpy(fixOpcodes+fixPos+offset, &tmpBcodeFix, 4);
 550 |                 LOGI("Fix the first b_code 2.");
 551 | 
 552 |                 tmpBcodeFix = pstInlineHook->pHookAddr + 8;
 553 |                 memcpy(fixOpcodes+fixPos+offset+4, &tmpBcodeFix, 4);
 554 |                 LOGI("Fix the first b_code 3.");
 555 | 
 556 |                 tmpBcodeFix = 0xE51FF004;
 557 |                 memcpy(fixOpcodes+fixPos+offset+8, &tmpBcodeFix, 4);
 558 |                 LOGI("Fix the first b_code 4.");
 559 | 
 560 |                 tmpBcodeFix = tmpBcodeX;
 561 |                 memcpy(fixOpcodes+fixPos+offset+12, &tmpBcodeFix, 4);
 562 |                 LOGI("Fix the first b_code 5.");
 563 | 
 564 |                 offset += 4*4;
 565 |             }
 566 |             else if (backUpPos == 0) { //save the first B code
 567 |                 tmpBcodeFix = (*currentOpcode & 0xFE000000);
 568 |                 tmpBcodeX = (*currentOpcode & 0xFFFFFF) << 2; // x*4
 569 |                 LOGI("tmpBcodeX : %x", tmpBcodeX);
 570 |                 tmpBcodeX = tmpBcodeX + 8 + pstInlineHook->pHookAddr;
 571 |             }
 572 |         }*/
 573 |         
 574 |         backUpPos += 4; //arm32的话下一次取后面4 byte偏移的指令
 575 |         pc += sizeof(uint32_t);
 576 | 
 577 |         fixPos += offset;
 578 |         LOGI("fixPos : %d", fixPos);
 579 |         LOGI("--------------END-----------------");
 580 | 
 581 |         if (backUpPos < pstInlineHook->backUpLength)
 582 |         {
 583 |             currentOpcode = pstInlineHook->szbyBackupOpcodes + sizeof(uint8_t)*backUpPos;
 584 |         }
 585 |         else{
 586 |             LOGI("pstInlineHook->backUpLength : %d", pstInlineHook->backUpLength);
 587 |             LOGI("backUpPos : %d",backUpPos);
 588 |             LOGI("fixPos : %d", fixPos);
 589 |             LOGI("Fix finish !");
 590 |             return fixPos;
 591 |         }
 592 |     }
 593 | 
 594 |     LOGI("Something wrong in arm fixing...");
 595 | 
 596 |     return 0;
 597 | }
 598 | 
 599 | int fixPCOpcodeThumb(void *fixOpcodes , INLINE_HOOK_INFO* pstInlineHook)
 600 | {
 601 |     uint32_t pc;
 602 |     uint32_t lr;
 603 |     int backUpPos = 0;
 604 |     int fixPos = 0;
 605 |     int offset = 0;
 606 |     uint16_t *currentOpcode;
 607 |     BYTE tmpFixOpcodes[40]; //对于每条PC命令的修复指令都将暂时保存在这里。
 608 | 
 609 |     LOGI("Fixing Thumb !!!!!!!");
 610 | 
 611 |     currentOpcode = pstInlineHook->szbyBackupOpcodes + sizeof(uint8_t)*backUpPos;
 612 |     LOGI("sizeof(uint8_t) : %D", sizeof(uint8_t));
 613 | 
 614 |     pc = pstInlineHook->pHookAddr - 1 + 4; //pc变量用于保存原本指令执行时的pc值
 615 | 
 616 |     if(pstInlineHook == NULL)
 617 |     {
 618 |         LOGI("pstInlineHook is null");
 619 |     }
 620 |     
 621 |     while(1) // 在这个循环中，每次都处理一个thumb命令
 622 |     {
 623 |         LOGI("-------------START----------------");
 624 |         LOGI("currentOpcode is %x",*currentOpcode);
 625 |         if(isThumb32(*currentOpcode)) //先判断它是thumb32还是thumb16
 626 |         {
 627 |             uint16_t *currentThumb32high = currentOpcode;
 628 |             uint16_t *currentThumb32low = currentOpcode+1; //坑：+2就错了，只能+1才是向后2 byte偏移
 629 |             LOGI("high_instruction addr : %x",currentThumb32high);
 630 |             LOGI("low_instruction addr : %x",currentThumb32low);
 631 | 
 632 |             offset = fixPCOpcodeThumb32(pc, *currentThumb32high, *currentThumb32low, tmpFixOpcodes, pstInlineHook);
 633 |             LOGI("offset : %d",offset);
 634 |             memcpy(fixOpcodes+fixPos, tmpFixOpcodes, offset);
 635 |             backUpPos += 4; //thumb32的话下一次取后面4btye偏移的指令
 636 |             pc += sizeof(uint32_t);
 637 |             LOGI("Current opcode is thumb32 !");
 638 |         }
 639 |         else{
 640 |             offset = fixPCOpcodeThumb16(pc, *currentOpcode, tmpFixOpcodes, pstInlineHook);
 641 |             LOGI("offset : %d",offset);
 642 |             memcpy(fixOpcodes+fixPos, tmpFixOpcodes, offset);
 643 |             backUpPos += 2; //thumb16的话下一次取后面2btye偏移的指令
 644 |             pc += sizeof(uint16_t);
 645 |         }
 646 | 
 647 |         fixPos += offset;
 648 |         LOGI("fixPos : %d", fixPos);
 649 |         LOGI("--------------END-----------------");
 650 | 
 651 |         if (backUpPos < pstInlineHook->backUpLength)
 652 |         {
 653 |             currentOpcode = pstInlineHook->szbyBackupOpcodes + sizeof(uint8_t)*backUpPos;
 654 |             LOGI("backUpPos : %d", backUpPos);
 655 |         }
 656 |         else{
 657 |             LOGI("pstInlineHook->backUpLength : %d", pstInlineHook->backUpLength);
 658 |             LOGI("backUpPos : %d",backUpPos);
 659 |             LOGI("fixPos : %d", fixPos);
 660 |             LOGI("Fix finish !");
 661 |             return fixPos;
 662 |         }
 663 |     }
 664 | 
 665 |     lr = pstInlineHook->pHookAddr + backUpPos;
 666 | 
 667 |     LOGI("Something wrong in thumb fixing...");
 668 | 
 669 |     return 0;
 670 | }
 671 | 
 672 | int fixPCOpcodeThumb16(uint32_t pc, uint16_t instruction, uint16_t *trampoline_instructions, INLINE_HOOK_INFO* pstInlineHook)
 673 | {
 674 | 	int type;
 675 | 	int offset;
 676 |     uint32_t new_entry_addr = (uint32_t)pstInlineHook->pNewEntryForOldFunction;
 677 | 	
 678 | 	type = getTypeInThumb16(instruction);
 679 | 
 680 |     if (type == B1_BEQ_THUMB16 || type == B1_BNE_THUMB16 || type == B1_BCS_THUMB16 || type == B1_BCC_THUMB16 || type == B1_BMI_THUMB16
 681 |      || type == B1_BPL_THUMB16 || type == B1_BVS_THUMB16 || type == B1_BVC_THUMB16 || type == B1_BHI_THUMB16 || type == B1_BLS_THUMB16
 682 |      || type == B1_BGE_THUMB16 || type == B1_BLT_THUMB16 || type == B1_BGT_THUMB16 || type == B1_BLE_THUMB16) {
 683 |         LOGI("B1_CONDITION_THUMB16");
 684 |         uint32_t x;
 685 | 		int top_bit;
 686 | 		uint32_t imm32;
 687 | 		uint32_t value;
 688 | 
 689 |         trampoline_instructions[0] = (uint16_t)(((instruction & 0xFF00)+4)^0x100);
 690 |         trampoline_instructions[1] = 0xBF00; //nop
 691 | 
 692 |         trampoline_instructions[2] = 0xF8DF;
 693 | 		trampoline_instructions[3] = 0xF000;	// LDR.W PC, [PC]
 694 | 
 695 |         x = (instruction & 0xFF) << 1;
 696 | 		top_bit = x >> 8;
 697 | 		imm32 = top_bit ? (x | (0xFFFFFFFF << 8)) : x;
 698 | 		value = pc + imm32 + 1; // THUMB MODE FOR LDR
 699 | 
 700 |         if(isTargetAddrInBackup(value-1,(uint32_t)pstInlineHook->pHookAddr,pstInlineHook->backUpLength)){
 701 |             //backup to backup !
 702 |             LOGI("BtoB in thumb16");
 703 |             int offset_in_backup = 0;
 704 |             int cnt = (value - 1 - ((uint32_t)pstInlineHook->pHookAddr - 1))/2;
 705 |             for(int i=0;i<cnt;i++){
 706 |                 offset_in_backup += pstInlineHook->backUpFixLengthList[i];
 707 |             }
 708 |             value = new_entry_addr + offset_in_backup + 1;
 709 |         }
 710 | 		trampoline_instructions[4] = (value & 0xFFFF);
 711 | 		trampoline_instructions[5] = value >> 16;
 712 | 
 713 |         offset = 6;
 714 | 	}
 715 | 	else if (type == B1_THUMB16 || type == B2_THUMB16 || type == BX_THUMB16) {
 716 |         LOGI("B1_THUMB16 B2_THUMB16 BX_THUMB16");
 717 | 		uint32_t x;
 718 | 		int top_bit;
 719 | 		uint32_t imm32;
 720 | 		uint32_t value;
 721 | 		int idx;
 722 | 		
 723 | 		idx = 0;
 724 | 		if (type == B1_THUMB16) {
 725 |             LOGI("B1_THUMB16");
 726 | 			x = (instruction & 0xFF) << 1;
 727 | 			top_bit = x >> 8;
 728 | 			imm32 = top_bit ? (x | (0xFFFFFFFF << 8)) : x;
 729 | 			value = pc + imm32 + 1;
 730 | 			trampoline_instructions[idx++] = instruction & 0xFF00;
 731 | 			trampoline_instructions[idx++] = 0xE003;	// B PC, #6
 732 | 		}
 733 | 		else if (type == B2_THUMB16) {
 734 |             LOGI("B2_THUMB16");
 735 | 			x = (instruction & 0x7FF) << 1;
 736 | 			top_bit = x >> 11;
 737 | 			imm32 = top_bit ? (x | (0xFFFFFFFF << 11)) : x;
 738 | 			value = pc + imm32 + 1; //thumb mode for LDR.W
 739 | 		}
 740 | 		else if (type == BX_THUMB16) {
 741 |             LOGI("BX_THUMB16");
 742 | 			value = pc + 1;
 743 | 		}
 744 | 
 745 |         if(isTargetAddrInBackup(value-1,(uint32_t)pstInlineHook->pHookAddr,pstInlineHook->backUpLength)){
 746 |             //backup to backup !
 747 |             LOGI("BtoB in thumb16");
 748 |             int offset_in_backup = 0;
 749 |             int cnt = (value - 1 - ((uint32_t)pstInlineHook->pHookAddr - 1))/2;
 750 |             LOGI("CNT : %d",cnt);
 751 |             LOGI("VALUE : %x",value);
 752 |             LOGI("HOOK ADDR : %x",(uint32_t)pstInlineHook->pHookAddr)
 753 |             for(int i=0;i<cnt;i++){
 754 |                 offset_in_backup += pstInlineHook->backUpFixLengthList[i];
 755 |                 LOGI("offset : %d",offset_in_backup);
 756 |             }
 757 |             value = new_entry_addr + offset_in_backup + 1;
 758 |             LOGI("new_entry_addr : %x",new_entry_addr);
 759 |             LOGI("NEW VALUE : %x",value);
 760 |         }
 761 | 		
 762 | 		trampoline_instructions[idx++] = 0xF8DF;
 763 | 		trampoline_instructions[idx++] = 0xF000;	// LDR.W PC, [PC]
 764 | 		trampoline_instructions[idx++] = value & 0xFFFF;
 765 | 		trampoline_instructions[idx++] = value >> 16;
 766 | 		offset = idx;
 767 | 	}
 768 | 	else if (type == ADD_THUMB16) {
 769 |         LOGI("ADD_THUMB16");
 770 | 		int rdn;
 771 | 		int rm;
 772 | 		int r;
 773 | 		
 774 | 		rdn = ((instruction & 0x80) >> 4) | (instruction & 0x7);
 775 | 		
 776 | 		for (r = 7; ; --r) {
 777 | 			if (r != rdn) {
 778 | 				break;
 779 | 			}
 780 | 		}
 781 | 		
 782 | 		trampoline_instructions[0] = 0xB400 | (1 << r);	// PUSH {Rr}
 783 | 		trampoline_instructions[1] = 0x4802 | (r << 8);	// LDR Rr, [PC, #8]
 784 | 		trampoline_instructions[2] = (instruction & 0xFF87) | (r << 3); //我猜是adr Rd, Rr, ?
 785 | 		trampoline_instructions[3] = 0xBC00 | (1 << r);	// POP {Rr}
 786 | 		trampoline_instructions[4] = 0xE002;	// B PC, #4 ???????
 787 | 		trampoline_instructions[5] = 0xBF00;
 788 | 		trampoline_instructions[6] = pc & 0xFFFF;
 789 | 		trampoline_instructions[7] = pc >> 16;
 790 | 		offset = 8;
 791 | 	}
 792 | 	else if (type == MOV_THUMB16 || type == ADR_THUMB16 || type == LDR_THUMB16) {
 793 |         LOGI("MOV_THUMB16 ADR_THUMB16 LDR_THUMB16");
 794 | 		int r;
 795 | 		uint32_t value;
 796 | 		
 797 | 		if (type == MOV_THUMB16) {
 798 |             LOGI("MOV_THUMB16");
 799 | 			r = instruction & 0x7;
 800 | 			value = pc;
 801 | 		}
 802 | 		else if (type == ADR_THUMB16) {
 803 |             LOGI("ADR_THUMB16");
 804 | 			r = (instruction & 0x700) >> 8;
 805 | 			value = ALIGN_PC(pc) + (instruction & 0xFF) << 2;
 806 | 		}
 807 | 		else {
 808 |             LOGI("LDR_THUMB16");
 809 | 			r = (instruction & 0x700) >> 8; //得到寄存器
 810 | 			value = ((uint32_t *) (ALIGN_PC(pc) + ((instruction & 0xFF) << 2)))[0];
 811 | 		}
 812 | 
 813 | 		trampoline_instructions[0] = 0x4800 | (r << 8);	// LDR Rd, [PC]
 814 | 		trampoline_instructions[1] = 0xE001;	// B PC, #2
 815 | 		trampoline_instructions[2] = value & 0xFFFF;
 816 | 		trampoline_instructions[3] = value >> 16;
 817 | 		//offset = 4;
 818 |         offset = 4;
 819 | 	}
 820 | 	else if (type == CB_THUMB16) {
 821 |         LOGI("CB_THUMB16");
 822 | 		int nonzero;
 823 | 		uint32_t imm32;
 824 | 		uint32_t value;
 825 | 
 826 | 		nonzero = (instruction & 0x800) >> 11;
 827 | 		imm32 = ((instruction & 0x200) >> 3) | ((instruction & 0xF8) >> 2);
 828 | 		value = pc + imm32 + 1;
 829 | 
 830 | 		trampoline_instructions[0] = instruction & 0xFD07;
 831 | 		trampoline_instructions[1] = 0xE003;	// B PC, #6
 832 | 		trampoline_instructions[2] = 0xF8DF;
 833 | 		trampoline_instructions[3] = 0xF000;	// LDR.W PC, [PC]
 834 | 		trampoline_instructions[4] = value & 0xFFFF;
 835 | 		trampoline_instructions[5] = value >> 16;
 836 | 		offset = 6;
 837 | 	}
 838 | 	else {
 839 |         LOGI("OTHER_THUMB16");
 840 | 		trampoline_instructions[0] = instruction;
 841 | 		trampoline_instructions[1] = 0xBF00;  // NOP
 842 | 		offset = 2;
 843 | 	}
 844 | 	
 845 | 	return offset*2;
 846 | }
 847 | 
 848 | int fixPCOpcodeArm32(uint32_t pc, uint32_t lr, uint32_t instruction, uint32_t *trampoline_instructions, INLINE_HOOK_INFO* pstInlineHook)
 849 | {
 850 |     int type;
 851 | 	//int offset;
 852 |     int trampoline_pos;
 853 |     uint32_t new_entry_addr = (uint32_t)pstInlineHook->pNewEntryForOldFunction;
 854 |     LOGI("new_entry_addr : %x",new_entry_addr);
 855 | 
 856 |     trampoline_pos = 0;
 857 |     LOGI("THE ARM32 OPCODE IS %x",instruction);
 858 |     type = getTypeInArm32(instruction);
 859 |     //type = getTypeInArm(instruction); //判断该arm指令的种类
 860 |     if (type == BEQ_ARM || type == BNE_ARM || type == BCS_ARM || type == BCC_ARM || 
 861 |         type == BMI_ARM || type == BPL_ARM || type == BVS_ARM || type == BVC_ARM || 
 862 |         type == BHI_ARM || type == BLS_ARM || type == BGE_ARM || type == BLT_ARM || 
 863 |         type == BGT_ARM || type == BLE_ARM) {
 864 |         LOGI("BEQ_ARM BNE_ARM BCS_ARM BCC_ARM BMI_ARM BPL_ARM BVS_ARM BVC_ARM BHI_ARM BLS_ARM BGE_ARM BLT_ARM BGT_ARM BLE_ARM");
 865 | 		uint32_t x;
 866 | 		int top_bit;
 867 | 		uint32_t imm32;
 868 | 		uint32_t value;
 869 | //        uint32_t flag=0;
 870 |         //uint32_t ins_info;
 871 | 
 872 |         trampoline_instructions[trampoline_pos++] = (uint32_t)(((instruction & 0xFE000000)+1)^0x10000000);
 873 |         trampoline_instructions[trampoline_pos++] = 0xE51FF004; // LDR PC, [PC, #-4]
 874 | /*        flag = (uint32_t)(instruction & 0xFFFFFF);
 875 |         if (flag == 0xffffff) {
 876 |             LOGI("BACKUP TO BACKUP !");
 877 | 
 878 |         }*/
 879 | 
 880 |         x = (instruction & 0xFFFFFF) << 2; // 4*x
 881 |         top_bit = x >> 25;
 882 | 		imm32 = top_bit ? (x | (0xFFFFFFFF << 26)) : x;
 883 |         value = x + pc;
 884 |         if(isTargetAddrInBackup(value, (uint32_t)pstInlineHook->pHookAddr, pstInlineHook->backUpLength)){
 885 |             LOGI("B TO B in Arm32");
 886 |             int offset_in_backup;
 887 |             int cnt = (value - (uint32_t)pstInlineHook->pHookAddr)/4;
 888 |             if(cnt==0){
 889 |                 value = new_entry_addr;
 890 |             }else if(cnt==1){
 891 |                 value = new_entry_addr + pstInlineHook->backUpFixLengthList[0];
 892 |             }else{
 893 |                 LOGI("cnt !=1or0, something wrong !");
 894 |             }
 895 |             //value = new_entry_addr+12;
 896 |         }
 897 |         trampoline_instructions[trampoline_pos++] = value; // hook_addr + 12 + 4*x
 898 | 
 899 |         /*
 900 |         if (backUpPos == 0) { //the B_code is the first backup code
 901 |             *isConditionBcode = 1;
 902 |             //ins_info = (uint32_t)(instruction & 0xF0000000)>>28;
 903 |             LOGI("INS_INFO : %x", ins_info);
 904 | 
 905 |             trampoline_instructions[trampoline_pos++] = (uint32_t)(((instruction & 0xFE000000)+1)^0x10000000); //B??_ARM 16 -> 0X?A000002
 906 |             LOGI("B code on the first.");
 907 |             LOGI("%x",(uint32_t)(instruction & 0xFE000000));
 908 |         }
 909 |         else if (backUpPos == 4) { //THE B_code is the second backup code
 910 |             LOGI("B code on the second.");
 911 |             trampoline_instructions[trampoline_pos++] = (uint32_t)(instruction & 0xFE000000)+1; //B??_ARM 12 -> 0X?A000001
 912 |             LOGI("%x",(uint32_t)(instruction & 0xFE000000)+1);
 913 | 
 914 |             trampoline_instructions[trampoline_pos++] = 0xE51FF004; // LDR PC, [PC, #-4]
 915 |             value = pc-4;
 916 |             trampoline_instructions[trampoline_pos++] = value; // hook_addr + 8
 917 | 
 918 |             trampoline_instructions[trampoline_pos++] = 0xE51FF004; // LDR PC, [PC, #-4]
 919 |             x = (instruction & 0xFFFFFF) << 2; // 4*x
 920 |             value = x + pc;
 921 |             trampoline_instructions[trampoline_pos++] = value; // hook_addr + 12 + 4*x
 922 |         }*/
 923 | 
 924 |         return 4*trampoline_pos;
 925 |     }
 926 | 	if (type == BLX_ARM || type == BL_ARM || type == B_ARM || type == BX_ARM) {
 927 |         LOGI("BLX_ARM BL_ARM B_ARM BX_ARM");
 928 | 		uint32_t x;
 929 | 		int top_bit;
 930 | 		uint32_t imm32;
 931 | 		uint32_t value;
 932 | //        uint32_t flag = 0;
 933 | 
 934 | 		if (type == BLX_ARM || type == BL_ARM) {
 935 |             LOGI("BLX_ARM BL_ARM");
 936 | 			trampoline_instructions[trampoline_pos++] = 0xE28FE004;	// ADD LR, PC, #4
 937 | 		}
 938 | 		trampoline_instructions[trampoline_pos++] = 0xE51FF004;  	// LDR PC, [PC, #-4]
 939 | 		if (type == BLX_ARM) {
 940 |             LOGI("BLX_ARM");
 941 | 			x = ((instruction & 0xFFFFFF) << 2) | ((instruction & 0x1000000) >> 23); //BLX_ARM
 942 |             LOGI("BLX_ARM : X : %d",x);
 943 | 		}
 944 | 		else if (type == BL_ARM || type == B_ARM) {
 945 |             LOGI("BL_ARM B_ARM");
 946 | 			x = (instruction & 0xFFFFFF) << 2;                                       //BL_ARM B_ARM
 947 | /*            flag = (uint32_t)(instruction & 0xFFFFFF);
 948 |             if (flag == 0xffffff) {
 949 |                 LOGI("BACKUP TO BACKUP !");
 950 |             }*/
 951 | 		}
 952 | 		else {
 953 |             LOGI("BX_ARM");
 954 | 			x = 0;                                                                   //BX_ARM
 955 | 		}
 956 | 		
 957 | 		top_bit = x >> 25;
 958 | 		imm32 = top_bit ? (x | (0xFFFFFFFF << 26)) : x;
 959 |         LOGI("top_bit : %d",top_bit);
 960 |         LOGI("imm32 : %d",imm32);
 961 |         LOGI("PC : %d",pc);
 962 | 
 963 | 		if (type == BLX_ARM) {
 964 |             LOGI("BLX_ARM");
 965 | 			value = pc + imm32 + 1;
 966 |             LOGI("BLX_ARM : value : %d",imm32);
 967 | 		}
 968 | 		else {
 969 |             LOGI("BL_ARM B_ARM BX_ARM");
 970 | 			value = pc + imm32;
 971 |             LOGI("value : %d", value);
 972 |             if(isTargetAddrInBackup(value, (uint32_t)pstInlineHook->pHookAddr, pstInlineHook->backUpLength)){
 973 |                 LOGI("Backup to backup!");
 974 |                 value = new_entry_addr+4*(trampoline_pos+1);
 975 |             }
 976 | 		}
 977 | 		trampoline_instructions[trampoline_pos++] = value;
 978 | 		
 979 | 	}
 980 | 	else if (type == ADD_ARM) {
 981 |         LOGI("ADD_ARM");
 982 | 		int rd;
 983 | 		int rm;
 984 | 		int r;
 985 | 		
 986 | 		rd = (instruction & 0xF000) >> 12;
 987 | 		rm = instruction & 0xF;
 988 | 		
 989 | 		for (r = 12; ; --r) { //找一个既不是rm,也不是rd的寄存器
 990 | 			if (r != rd && r != rm) {
 991 | 				break;
 992 | 			}
 993 | 		}
 994 | 		
 995 | 		trampoline_instructions[trampoline_pos++] = 0xE52D0004 | (r << 12);	// PUSH {Rr}
 996 | 		trampoline_instructions[trampoline_pos++] = 0xE59F0008 | (r << 12);	// LDR Rr, [PC, #8]
 997 | 		trampoline_instructions[trampoline_pos++] = (instruction & 0xFFF0FFFF) | (r << 16);
 998 | 		trampoline_instructions[trampoline_pos++] = 0xE49D0004 | (r << 12);	// POP {Rr}
 999 | 		trampoline_instructions[trampoline_pos++] = 0xE28FF000;	// ADD PC, PC MFK!这明明是ADD PC, PC, #0好么！
1000 | 		trampoline_instructions[trampoline_pos++] = pc;
1001 | 	}
1002 | 	else if (type == ADR1_ARM || type == ADR2_ARM || type == LDR_ARM || type == MOV_ARM) {
1003 |         LOGI("ADR1_ARM ADR2_ARM LDR_ARM MOV_ARM");
1004 | 		int r;
1005 | 		uint32_t value;
1006 | 		
1007 | 		r = (instruction & 0xF000) >> 12;
1008 | 		
1009 | 		if (type == ADR1_ARM || type == ADR2_ARM || type == LDR_ARM) {
1010 |             LOGI("ADR1_ARM ADR2_ARM LDR_ARM");
1011 | 			uint32_t imm32;
1012 | 			
1013 | 			imm32 = instruction & 0xFFF;
1014 | 			if (type == ADR1_ARM) {
1015 |                 LOGI("ADR1_ARM");
1016 | 				value = pc + imm32;
1017 | 			}
1018 | 			else if (type == ADR2_ARM) {
1019 |                 LOGI("ADR2_ARM");
1020 | 				value = pc - imm32;
1021 | 			}
1022 | 			else if (type == LDR_ARM) {
1023 |                 LOGI("LDR_ARM");
1024 | 				int is_add;
1025 | 	
1026 | 				is_add = (instruction & 0x800000) >> 23;
1027 | 				if (is_add) {
1028 | 					value = ((uint32_t *) (pc + imm32))[0];
1029 | 				}
1030 | 				else {
1031 | 					value = ((uint32_t *) (pc - imm32))[0];
1032 | 				}
1033 | 			}
1034 | 		}
1035 | 		else {
1036 |             LOGI("MOV_ARM");
1037 | 			value = pc;
1038 | 		}
1039 | 			
1040 | 		trampoline_instructions[trampoline_pos++] = 0xE51F0000 | (r << 12);	// LDR Rr, [PC]
1041 | 		trampoline_instructions[trampoline_pos++] = 0xE28FF000;	// ADD PC, PC
1042 | 		trampoline_instructions[trampoline_pos++] = value;
1043 | 	}
1044 | 	else {
1045 |         LOGI("OTHER_ARM");
1046 | 		trampoline_instructions[trampoline_pos++] = instruction;
1047 |         return 4*trampoline_pos;
1048 | 	}
1049 | 	//pc += sizeof(uint32_t);
1050 | 	
1051 | 	//trampoline_instructions[trampoline_pos++] = 0xe51ff004;	// LDR PC, [PC, #-4]
1052 | 	//trampoline_instructions[trampoline_pos++] = lr;
1053 |     return 4*trampoline_pos;
1054 | }
1055 | 
1056 | int fixPCOpcodeThumb32(uint32_t pc, uint16_t high_instruction, uint16_t low_instruction, uint16_t *trampoline_instructions, INLINE_HOOK_INFO* pstInlineHook)
1057 | {
1058 | 	uint32_t instruction;
1059 | 	int type;
1060 | 	int idx;
1061 | 	int offset;
1062 |     uint32_t new_entry_addr = (uint32_t)pstInlineHook->pNewEntryForOldFunction;
1063 | 	LOGI("THE THUMB32 LOW OPCODE IS %x",low_instruction);
1064 | 	instruction = (high_instruction << 16) | low_instruction;
1065 |     LOGI("THE THUMB32 OPCODE IS %x",instruction);
1066 | 	type = getTypeInThumb32(instruction);
1067 | 	idx = 0;
1068 |     if (type == B1_BEQ_THUMB32 || type == B1_BNE_THUMB32 || type == B1_BCS_THUMB32 || type == B1_BCC_THUMB32 || type == B1_BMI_THUMB32
1069 |      || type == B1_BPL_THUMB32 || type == B1_BVS_THUMB32 || type == B1_BVC_THUMB32 || type == B1_BHI_THUMB32 || type == B1_BLS_THUMB32
1070 |      || type == B1_BGE_THUMB32 || type == B1_BLT_THUMB32 || type == B1_BGT_THUMB32 || type == B1_BLE_THUMB32) {
1071 |         LOGI("B1_CONDITION_THUMB32");
1072 |         LOGI("THUMB32 OPCODE : %x",instruction);
1073 |         uint32_t x;
1074 | 		int top_bit;
1075 | 		uint32_t imm32;
1076 | 		uint32_t value;
1077 |         uint32_t j1;
1078 | 		uint32_t j2;
1079 | 		uint32_t s;
1080 | 
1081 | 
1082 |         //0b 0000 0000 0011 1111 0010 1111 1111 1111 通过填入大数值1048574得到储存数值的位
1083 |         //&0b1111 1111 1100 0000 1101 0000 0000 0000
1084 | 
1085 |         trampoline_instructions[0] = (uint16_t)((high_instruction &0xFFC0)^0x40);
1086 |         trampoline_instructions[1] = (uint16_t)((low_instruction &0xD000)+12/2); //取反后 BXX.W 12
1087 | 
1088 |         trampoline_instructions[2] = 0xF8DF;
1089 | 		trampoline_instructions[3] = 0xF000;	// LDR.W PC, [PC]
1090 | 
1091 |         j1 = (low_instruction & 0x2000) >> 13;
1092 | 		j2 = (low_instruction & 0x800) >> 11;
1093 |         s = (high_instruction & 0x400) >> 10;
1094 |         x = (s << 20) | (j2 << 19) | (j1 << 18) | ((high_instruction & 0x3F) << 12) | ((low_instruction & 0x7FF) << 1);
1095 | 		imm32 = s ? (x | (0xFFFFFFFF << 21)) : x;
1096 | 		value = pc + imm32 + 1;
1097 | 
1098 |         if(isTargetAddrInBackup(value-1,(uint32_t)pstInlineHook->pHookAddr,pstInlineHook->backUpLength)){
1099 |             //backup to backup !
1100 |             LOGI("BtoB in thumb32");
1101 |             int offset_in_backup = 0;
1102 |             int cnt = (value - 1 - ((uint32_t)pstInlineHook->pHookAddr - 1))/2;
1103 |             for(int i=0;i<cnt;i++){
1104 |                 offset_in_backup += pstInlineHook->backUpFixLengthList[i];
1105 |             }
1106 |             value = new_entry_addr + offset_in_backup + 1;
1107 |         }
1108 | 
1109 |         trampoline_instructions[4] = (value & 0xFFFF);
1110 | 		trampoline_instructions[5] = value >> 16;
1111 | 
1112 |         offset = 6;
1113 |      }else if (type == BLX_THUMB32 || type == BL_THUMB32 || type == B1_THUMB32 || type == B2_THUMB32) {
1114 | 		uint32_t j1;
1115 | 		uint32_t j2;
1116 | 		uint32_t s;
1117 | 		uint32_t i1;
1118 | 		uint32_t i2;
1119 | 		uint32_t x;
1120 | 		uint32_t imm32;
1121 | 		uint32_t value;
1122 | 
1123 | 		j1 = (low_instruction & 0x2000) >> 13;
1124 | 		j2 = (low_instruction & 0x800) >> 11;
1125 | 		s = (high_instruction & 0x400) >> 10;
1126 | 		i1 = !(j1 ^ s);
1127 | 		i2 = !(j2 ^ s);
1128 | 
1129 | 		if (type == BLX_THUMB32 || type == BL_THUMB32) {
1130 |             LOGI("BLX_THUMB32 BL_THUMB32");
1131 | 			trampoline_instructions[idx++] = 0xF20F;
1132 | 			trampoline_instructions[idx++] = 0x0E09;	// ADD.W LR, PC, #9
1133 | 		}
1134 | 		else if (type == B1_THUMB32) {
1135 |             LOGI("B1_THUMB32");
1136 | 			trampoline_instructions[idx++] = 0xD000 | ((high_instruction & 0x3C0) << 2);
1137 | 			trampoline_instructions[idx++] = 0xE003;	// B PC, #6
1138 | 		}
1139 | 		trampoline_instructions[idx++] = 0xF8DF;
1140 | 		trampoline_instructions[idx++] = 0xF000;	// LDR.W PC, [PC]
1141 | 		if (type == BLX_THUMB32) {
1142 |             LOGI("BLX_THUMB32");
1143 | 			x = (s << 24) | (i1 << 23) | (i2 << 22) | ((high_instruction & 0x3FF) << 12) | ((low_instruction & 0x7FE) << 1);
1144 | 			imm32 = s ? (x | (0xFFFFFFFF << 25)) : x;
1145 | 			value = pc + imm32;
1146 |             LOGI("blx_thumb32 : value : %x",value);
1147 | 		}
1148 | 		else if (type == BL_THUMB32) {
1149 |             LOGI("BL_THUMB32");
1150 | 			x = (s << 24) | (i1 << 23) | (i2 << 22) | ((high_instruction & 0x3FF) << 12) | ((low_instruction & 0x7FF) << 1);
1151 | 			imm32 = s ? (x | (0xFFFFFFFF << 25)) : x;
1152 | 			value = pc + imm32 + 1;
1153 | 		}
1154 | 		else if (type == B1_THUMB32) {
1155 |             LOGI("B1_THUMB32");
1156 | 			x = (s << 20) | (j2 << 19) | (j1 << 18) | ((high_instruction & 0x3F) << 12) | ((low_instruction & 0x7FF) << 1);
1157 | 			imm32 = s ? (x | (0xFFFFFFFF << 21)) : x;
1158 | 			value = pc + imm32 + 1;
1159 | 		}
1160 | 		else if (type == B2_THUMB32) {
1161 |             LOGI("B2_THUMB32");
1162 | 			x = (s << 24) | (i1 << 23) | (i2 << 22) | ((high_instruction & 0x3FF) << 12) | ((low_instruction & 0x7FF) << 1);
1163 | 			imm32 = s ? (x | (0xFFFFFFFF << 25)) : x;
1164 | 			value = pc + imm32 + 1;
1165 | 		}
1166 | 		trampoline_instructions[idx++] = value & 0xFFFF;
1167 | 		trampoline_instructions[idx++] = value >> 16;
1168 | 		offset = idx;
1169 | 	}
1170 | 	else if (type == ADR1_THUMB32 || type == ADR2_THUMB32 || type == LDR_THUMB32) {
1171 |         LOGI("ADR1_THUMB32 ADR2_THUMB32 LDR_THUMB32");
1172 | 		int r;
1173 | 		uint32_t imm32;
1174 | 		uint32_t value;
1175 | 		
1176 | 		if (type == ADR1_THUMB32 || type == ADR2_THUMB32) {
1177 |             LOGI("ADR1_THUMB32 ADR2_THUMB32");
1178 | 			uint32_t i;
1179 | 			uint32_t imm3;
1180 | 			uint32_t imm8;
1181 | 		
1182 | 			r = (low_instruction & 0xF00) >> 8;
1183 | 			i = (high_instruction & 0x400) >> 10;
1184 | 			imm3 = (low_instruction & 0x7000) >> 12;
1185 | 			imm8 = instruction & 0xFF;
1186 | 			
1187 | 			imm32 = (i << 31) | (imm3 << 30) | (imm8 << 27);
1188 | 			
1189 | 			if (type == ADR1_THUMB32) {
1190 |                 LOGI("ADR1_THUMB32");
1191 | 				value = ALIGN_PC(pc) + imm32;
1192 | 			}
1193 | 			else {
1194 |                 LOGI("ADR2_THUMB32");
1195 | 				value = ALIGN_PC(pc) - imm32;
1196 | 			}
1197 | 		}
1198 | 		else {
1199 |             LOGI("LDR_THUMB32");
1200 | 			int is_add;
1201 | 			uint32_t *addr;
1202 | 			
1203 | 			is_add = (high_instruction & 0x80) >> 7;
1204 | 			r = low_instruction >> 12;
1205 | 			imm32 = low_instruction & 0xFFF;
1206 | 			
1207 | 			if (is_add) {
1208 | 				addr = (uint32_t *) (ALIGN_PC(pc) + imm32);
1209 | 			}
1210 | 			else {
1211 | 				addr = (uint32_t *) (ALIGN_PC(pc) - imm32);
1212 | 			}
1213 | 			
1214 | 			value = addr[0];
1215 | 		}
1216 | 		
1217 | 		trampoline_instructions[0] = 0x4800 | (r << 8);	// LDR Rr, [PC]
1218 | 		trampoline_instructions[1] = 0xE001;	// B PC, #2
1219 | 		trampoline_instructions[2] = value & 0xFFFF;
1220 | 		trampoline_instructions[3] = value >> 16;
1221 | 		offset = 4;
1222 | 	}
1223 | 
1224 | 	else if (type == TBB_THUMB32 || type == TBH_THUMB32) {
1225 |         LOGI("TBB_THUMB32 TBH_THUMB32");
1226 | 		int rm;
1227 | 		int r;
1228 | 		int rx;
1229 | 		
1230 | 		rm = low_instruction & 0xF;
1231 | 		
1232 | 		for (r = 7;; --r) {
1233 | 			if (r != rm) {
1234 | 				break;
1235 | 			}
1236 | 		}
1237 | 		
1238 | 		for (rx = 7; ; --rx) {
1239 | 			if (rx != rm && rx != r) {
1240 | 				break;
1241 | 			}
1242 | 		}
1243 | 		
1244 | 		trampoline_instructions[0] = 0xB400 | (1 << rx);	// PUSH {Rx}
1245 | 		trampoline_instructions[1] = 0x4805 | (r << 8);	// LDR Rr, [PC, #20]
1246 | 		trampoline_instructions[2] = 0x4600 | (rm << 3) | rx;	// MOV Rx, Rm
1247 | 		if (type == TBB_THUMB32) {
1248 |             LOGI("TBB_THUMB32");
1249 | 			trampoline_instructions[3] = 0xEB00 | r;
1250 | 			trampoline_instructions[4] = 0x0000 | (rx << 8) | rx;	// ADD.W Rx, Rr, Rx
1251 | 			trampoline_instructions[5] = 0x7800 | (rx << 3) | rx; 	// LDRB Rx, [Rx]
1252 | 		}
1253 | 		else if (type == TBH_THUMB32) {
1254 |             LOGI("TBH_THUMB32");
1255 | 			trampoline_instructions[3] = 0xEB00 | r;
1256 | 			trampoline_instructions[4] = 0x0040 | (rx << 8) | rx;	// ADD.W Rx, Rr, Rx, LSL #1
1257 | 			trampoline_instructions[5] = 0x8800 | (rx << 3) | rx; 	// LDRH Rx, [Rx]
1258 | 		}
1259 | 		trampoline_instructions[6] = 0xEB00 | r;
1260 | 		trampoline_instructions[7] = 0x0040 | (r << 8) | rx;	// ADD Rr, Rr, Rx, LSL #1
1261 | 		trampoline_instructions[8] = 0x3001 | (r << 8);	// ADD Rr, #1
1262 | 		trampoline_instructions[9] = 0xBC00 | (1 << rx);	// POP {Rx}
1263 | 		trampoline_instructions[10] = 0x4700 | (r << 3);	// BX Rr
1264 | 		trampoline_instructions[11] = 0xBF00;
1265 | 		trampoline_instructions[12] = pc & 0xFFFF;
1266 | 		trampoline_instructions[13] = pc >> 16;
1267 | 		offset = 14;
1268 | 	}
1269 | 	else {
1270 |         LOGI("OTHER_THUMB32");
1271 | 		trampoline_instructions[0] = high_instruction;
1272 | 		trampoline_instructions[1] = low_instruction;
1273 | 		offset = 2;
1274 | 	}
1275 | 
1276 | 	return offset*2;
1277 | }


--------------------------------------------------------------------------------
/jni/InlineHook/fixPCOpcode.h:
--------------------------------------------------------------------------------
 1 | #ifndef _FIXOPCODE_H
 2 | #define _FIXOPCODE_H
 3 | 
 4 | #include <stdio.h>
 5 | #include "Ihook.h"
 6 | 
 7 | #define ALIGN_PC(pc)	(pc & 0xFFFFFFFC)
 8 | 
 9 | bool isThumb32(uint16_t opcode);
10 | bool isTargetAddrInBackup(uint32_t target_addr, uint32_t hook_addr, int backup_length);
11 | 
12 | int lengthFixThumb32(uint32_t opcode);
13 | int lengthFixArm32(uint32_t opcode);
14 | int lengthFixThumb16(uint16_t opcode);
15 | 
16 | static int getTypeInArm32(uint32_t instruction);
17 | static int getTypeInThumb16(uint16_t instruction);
18 | static int getTypeInThumb32(uint32_t instruction);
19 | 
20 | 
21 | int fixPCOpcodeArm(void *fixOpcodes , INLINE_HOOK_INFO* pstInlineHook);
22 | int fixPCOpcodeThumb(void *fixOpcodes , INLINE_HOOK_INFO* pstInlineHook);
23 | int fixPCOpcodeArm32(uint32_t pc, uint32_t lr, uint32_t instruction, uint32_t *trampoline_instructions, INLINE_HOOK_INFO* pstInlineHook);
24 | int fixPCOpcodeThumb16(uint32_t pc, uint16_t instruction, uint16_t *trampoline_instructions, INLINE_HOOK_INFO* pstInlineHook);
25 | int fixPCOpcodeThumb32(uint32_t pc, uint16_t high_instruction, uint16_t low_instruction, uint16_t *trampoline_instructions, INLINE_HOOK_INFO* pstInlineHook);
26 | 
27 | #endif


--------------------------------------------------------------------------------
/jni/InlineHook/ihookstub.s:
--------------------------------------------------------------------------------
 1 | .global _shellcode_start_s
 2 | .global _shellcode_end_s
 3 | .global _hookstub_function_addr_s
 4 | .global _old_function_addr_s
 5 | 
 6 | .data
 7 | 
 8 | _shellcode_start_s:
 9 |     push    {r0, r1, r2, r3}
10 |     mrs     r0, cpsr
11 |     str     r0, [sp, #0xC]
12 |     str     r14, [sp, #8]   
13 |     add     r14, sp, #0x10
14 |     str     r14, [sp, #4]    
15 |     pop     {r0}               
16 |     push    {r0-r12}           
17 |     mov     r0, sp
18 |     ldr     r3, _hookstub_function_addr_s
19 |     blx     r3
20 |     ldr     r0, [sp, #0x3C]
21 |     msr     cpsr, r0
22 |     ldmfd   sp!, {r0-r12}       
23 |     ldr     r14, [sp, #4]
24 |     ldr     sp, [r13]
25 |     ldr     pc, _old_function_addr_s
26 |     
27 | _hookstub_function_addr_s:
28 | .word 0xffffffff
29 | 
30 | _old_function_addr_s:
31 | .word 0xffffffff
32 | 
33 | _shellcode_end_s:
34 | 
35 | .end
36 | 


--------------------------------------------------------------------------------
/jni/InlineHook/ihookstubthumb.s:
--------------------------------------------------------------------------------
 1 | .global _shellcode_start_s_thumb
 2 | .global _shellcode_end_s_thumb
 3 | .global _hookstub_function_addr_s_thumb
 4 | .global _old_function_addr_s_thumb
 5 | 
 6 | .data
 7 | 
 8 | _shellcode_start_s_thumb:
 9 |     push    {r0, r1, r2, r3}
10 |     mrs     r0, cpsr
11 |     str     r0, [sp, #0xC]
12 |     str     r14, [sp, #8]   
13 |     add     r14, sp, #0x10
14 |     str     r14, [sp, #4]    
15 |     pop     {r0}               
16 |     push    {r0-r12}           
17 |     mov     r0, sp //pass the reg
18 |     ldr     r3, _hookstub_function_addr_s_thumb //to protect r3， then i notice the reg is passed by r0.
19 |     blx     r3
20 |     ldr     r3, _old_function_addr_s_thumb
21 |     and     r3, r3, #0xfffffffe //bic     r3, r3, #1
22 |     add     r3, r3, #0x1
23 |     str     r3, _old_function_addr_s_thumb
24 |     ldr     r3, [sp, #-0x34]
25 |     ldr     r0, [sp, #0x3C]
26 |     msr     cpsr, r0
27 |     ldmfd   sp!, {r0-r12}       
28 |     ldr     r14, [sp, #4]
29 |     ldr     sp, [r13]
30 |     ldr     pc, _old_function_addr_s_thumb
31 |     
32 | _hookstub_function_addr_s_thumb:
33 | .word 0xffffffff
34 | 
35 | _old_function_addr_s_thumb:
36 | .word 0xffffffff
37 | 
38 | _shellcode_end_s_thumb:
39 | 
40 | .end
41 | 


--------------------------------------------------------------------------------
/jni/Interface/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/jni/Interface/.DS_Store


--------------------------------------------------------------------------------
/jni/Interface/Android.mk:
--------------------------------------------------------------------------------
 1 | LOCAL_PATH := $(call my-dir)  
 2 | 
 3 | 
 4 | include $(CLEAR_VARS)
 5 | 
 6 | LOCAL_CXXFLAGS +=  -g -O0
 7 | LOCAL_ARM_MODE := arm
 8 | LOCAL_MODULE    := InlineThumbHook
 9 | LOCAL_STATIC_LIBRARIES:= IHook
10 | LOCAL_C_INCLUDES := $(LOCAL_PATH)/../InlineHook
11 | LOCAL_SRC_FILES := InlineHook.cpp
12 | LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog
13 | 
14 | include $(BUILD_SHARED_LIBRARY)


--------------------------------------------------------------------------------
/jni/Interface/InlineHook.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/jni/Interface/InlineHook.cpp


--------------------------------------------------------------------------------
/libs/armeabi-v7a/libInlineThumbHook.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/libs/armeabi-v7a/libInlineThumbHook.so


--------------------------------------------------------------------------------
/notThumbHooked.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/notThumbHooked.mp4


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/libIHook.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/libIHook.a


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/libInlineArmHook.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/libInlineArmHook.so


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/libInlineHook.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/libInlineHook.so


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/libInlineThumbHook.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/libInlineThumbHook.so


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/IHook/IHook.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/objs/IHook/IHook.o


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/IHook/IHook.o.d:
--------------------------------------------------------------------------------
1 | ./obj/local/armeabi-v7a/objs/IHook/IHook.o: jni/InlineHook/IHook.c \
2 |   jni/InlineHook/Ihook.h jni/InlineHook/fixPCOpcode.h
3 | 
4 | jni/InlineHook/Ihook.h:
5 | 
6 | jni/InlineHook/fixPCOpcode.h:
7 | 


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/IHook/fixPCOpcode.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/objs/IHook/fixPCOpcode.o


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/IHook/fixPCOpcode.o.d:
--------------------------------------------------------------------------------
1 | ./obj/local/armeabi-v7a/objs/IHook/fixPCOpcode.o: \
2 |   jni/InlineHook/fixPCOpcode.c jni/InlineHook/fixPCOpcode.h \
3 |   jni/InlineHook/Ihook.h
4 | 
5 | jni/InlineHook/fixPCOpcode.h:
6 | 
7 | jni/InlineHook/Ihook.h:
8 | 


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/IHook/ihookstub.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/objs/IHook/ihookstub.o


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/IHook/ihookstubthumb.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/objs/IHook/ihookstubthumb.o


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/InlineArmHook/InlineHook.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/objs/InlineArmHook/InlineHook.o


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/InlineArmHook/InlineHook.o.d:
--------------------------------------------------------------------------------
1 | ./obj/local/armeabi-v7a/objs/InlineArmHook/InlineHook.o: \
2 |   jni/Interface/InlineHook.cpp \
3 |   C:/Users/GToad/AppData/Local/Android/Sdk/ndk-bundle/build//../sources/cxx-stl/gnu-libstdc++/4.9/include\vector \
4 |   jni/Interface/../InlineHook\Ihook.h
5 | 
6 | C:/Users/GToad/AppData/Local/Android/Sdk/ndk-bundle/build//../sources/cxx-stl/gnu-libstdc++/4.9/include\vector:
7 | 
8 | jni/Interface/../InlineHook\Ihook.h:
9 | 


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/InlineHook/InlineHook.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/objs/InlineHook/InlineHook.o


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/InlineHook/InlineHook.o.d:
--------------------------------------------------------------------------------
1 | ./obj/local/armeabi-v7a/objs/InlineHook/InlineHook.o: \
2 |   jni/Interface/InlineHook.cpp \
3 |   C:/Users/GToad/AppData/Local/Android/Sdk/ndk-bundle/build//../sources/cxx-stl/gnu-libstdc++/4.9/include\vector \
4 |   jni/Interface/../InlineHook\Ihook.h
5 | 
6 | C:/Users/GToad/AppData/Local/Android/Sdk/ndk-bundle/build//../sources/cxx-stl/gnu-libstdc++/4.9/include\vector:
7 | 
8 | jni/Interface/../InlineHook\Ihook.h:
9 | 


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/InlineThumbHook/InlineHook.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/obj/local/armeabi-v7a/objs/InlineThumbHook/InlineHook.o


--------------------------------------------------------------------------------
/obj/local/armeabi-v7a/objs/InlineThumbHook/InlineHook.o.d:
--------------------------------------------------------------------------------
1 | ./obj/local/armeabi-v7a/objs/InlineThumbHook/InlineHook.o: \
2 |   jni/Interface/InlineHook.cpp \
3 |   C:/Users/GToad/AppData/Local/Android/Sdk/ndk-bundle/build//../sources/cxx-stl/gnu-libstdc++/4.9/include\vector \
4 |   jni/Interface/../InlineHook\Ihook.h
5 | 
6 | C:/Users/GToad/AppData/Local/Android/Sdk/ndk-bundle/build//../sources/cxx-stl/gnu-libstdc++/4.9/include\vector:
7 | 
8 | jni/Interface/../InlineHook\Ihook.h:
9 | 


--------------------------------------------------------------------------------
/thumb-2-example.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/thumb-2-example.apk


--------------------------------------------------------------------------------
/thumb-2-example.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/thumb-2-example.zip


--------------------------------------------------------------------------------
/thumb-2-example/libnative-lib.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/thumb-2-example/libnative-lib.idb


--------------------------------------------------------------------------------
/thumb-2-example/libnative-lib.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/thumb-2-example/libnative-lib.so


--------------------------------------------------------------------------------
/thumbhook.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/thumbhook.pdf


--------------------------------------------------------------------------------
/todo.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GToad/Android_Inline_Hook_Thumb_Example/84af85b113536d431b25110567f5784d750edd3b/todo.txt


--------------------------------------------------------------------------------